<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Elasticsearch Security Mechanisms in Depth</title>
    <link href="https://cdn.staticfile.org/font-awesome/6.4.0/css/all.min.css" rel="stylesheet">
    <link href="https://cdn.staticfile.org/tailwindcss/2.2.19/tailwind.min.css" rel="stylesheet">
    <link href="https://fonts.googleapis.com/css2?family=Noto+Serif+SC:wght@400;500;600;700&family=Noto+Sans+SC:wght@300;400;500;700&display=swap" rel="stylesheet">
    <script src="https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.min.js"></script>
    <style>
        body {
            font-family: 'Noto Sans SC', Tahoma, Arial, Roboto, "Droid Sans", "Helvetica Neue", "Droid Sans Fallback", "Heiti SC", "Hiragino Sans GB", Simsun, sans-serif;
            color: #333;
            line-height: 1.6;
        }
        h1, h2, h3, h4 {
            font-family: 'Noto Serif SC', serif;
            font-weight: 600;
        }
        .hero-gradient {
            background: linear-gradient(135deg, #3a7bd5 0%, #00d2ff 100%);
        }
        .code-block {
            background: #f8f9fa;
            border-left: 4px solid #3a7bd5;
        }
        .card-hover:hover {
            transform: translateY(-5px);
            box-shadow: 0 10px 20px rgba(0,0,0,0.1);
        }
        .section-divider {
            border-bottom: 1px solid #e2e8f0;
        }
        .feature-icon {
            color: #3a7bd5;
            font-size: 1.5rem;
        }
    </style>
</head>
<body class="bg-gray-50">
    <!-- Hero Section -->
    <section class="hero-gradient text-white py-20">
        <div class="container mx-auto px-6 max-w-4xl">
            <div class="flex flex-col items-center text-center">
                <h1 class="text-4xl md:text-5xl font-bold mb-4">Elasticsearch Security Mechanisms</h1>
                <p class="text-xl md:text-2xl mb-8 max-w-2xl">Key strategies for protecting data and keeping the cluster stable</p>
                <div class="bg-white bg-opacity-20 p-4 rounded-lg inline-flex items-center">
                    <i class="fas fa-shield-alt mr-2"></i>
                    <span>Data security · Access control · Encrypted transport</span>
                </div>
            </div>
        </div>
    </section>

    <!-- Main Content -->
    <main class="container mx-auto px-6 py-12 max-w-5xl">
        <!-- Introduction -->
        <section class="mb-16">
            <div class="bg-white rounded-xl shadow-md p-8">
                <p class="text-lg leading-relaxed text-gray-700">
                    Elasticsearch's security mechanisms are a key part of keeping data secure and the system stable. They cover three main areas, authentication, authorization and data encryption, and give enterprises and developers layered protection against unauthorized access and data leakage.
                </p>
            </div>
        </section>

        <!-- Authentication Section -->
        <section class="mb-20">
            <h2 class="text-3xl font-bold mb-8 flex items-center">
                <span class="mr-3"><i class="fas fa-user-check feature-icon"></i></span>
                <span>1. Authentication</span>
            </h2>
            <p class="text-gray-600 mb-8">Authentication is the process of verifying a user's identity, so that only verified users can reach cluster resources.</p>

            <div class="grid md:grid-cols-2 gap-8">
                <!-- Basic Auth Card -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <h3 class="text-xl font-bold mb-4 flex items-center">
                            <i class="fas fa-user-lock mr-2 text-blue-500"></i>
                            Username and password authentication
                        </h3>
                        <p class="text-gray-600 mb-4">Elasticsearch's built-in (native) realm authenticates users with a username and password. It is the most common method and suits small clusters or development environments.</p>
                        <div class="code-block p-4 rounded mb-4 overflow-x-auto">
                            <pre><code class="text-sm">xpack.security.authc:
  realms:
    native:
      native1:
        order: 0</code></pre>
                        </div>
                    </div>
                </div>

                <!-- LDAP Card -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <h3 class="text-xl font-bold mb-4 flex items-center">
                            <i class="fas fa-network-wired mr-2 text-blue-500"></i>
                            LDAP/Active Directory authentication
                        </h3>
                        <p class="text-gray-600 mb-4">By integrating an LDAP or Active Directory service, an organization's existing user directory can be connected to Elasticsearch for centrally managed authentication.</p>
                        <div class="code-block p-4 rounded mb-4 overflow-x-auto">
                            <pre><code class="text-sm"># elasticsearch.yml: the realm type is part of the setting path (no "type" key)
xpack.security.authc.realms.ldap.ldap1:
  order: 1
  url: "ldap://localhost:389"   # plain ldap:// sends the bind password unencrypted; prefer ldaps://
  bind_dn: "cn=admin,dc=example,dc=com"
  # keep the bind password out of this file; store it in the keystore instead:
  # bin/elasticsearch-keystore add xpack.security.authc.realms.ldap.ldap1.secure_bind_password
  user_dn_templates:
    - "cn={0},ou=users,dc=example,dc=com"   # {0} is replaced with the login name</code></pre>
                        </div>
                    </div>
                </div>

                <!-- SAML Card -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <h3 class="text-xl font-bold mb-4 flex items-center">
                            <i class="fas fa-id-card mr-2 text-blue-500"></i>
                            SAML authentication
                        </h3>
                        <p class="text-gray-600 mb-4">Security Assertion Markup Language (SAML) is a standard protocol for single sign-on (SSO), suited to integration with enterprise identity management systems.</p>
                        <div class="code-block p-4 rounded mb-4 overflow-x-auto">
                            <pre><code class="text-sm"># elasticsearch.yml: the realm type is part of the setting path (no "type" key)
xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: /path/to/metadata.xml
  idp.entity_id: "https://idp.example.com/"        # placeholder; must match the IdP metadata
  sp.entity_id: "https://kibana.example.com/"      # placeholder; this service provider's ID
  sp.acs: "https://kibana.example.com/api/security/saml/callback"   # placeholder
  attributes.principal: "nameid"</code></pre>
                        </div>
                    </div>
                </div>

                <!-- OAuth Card -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <h3 class="text-xl font-bold mb-4 flex items-center">
                            <i class="fas fa-key mr-2 text-blue-500"></i>
                            OAuth 2.0 authentication
                        </h3>
                        <p class="text-gray-600 mb-4">Authentication over the OAuth 2.0 protocol, for scenarios that rely on a third-party authentication service.</p>
                        <div class="code-block p-4 rounded mb-4 overflow-x-auto">
                            <pre><code class="text-sm">xpack.security.authc.realms.oidc.oidc1:   # OAuth 2.0 login uses the OpenID Connect (oidc) realm
  order: 3
  rp.client_id: "your-client-id"   # secret goes in the keystore: bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret
  rp.response_type: code
  rp.redirect_uri: "https://kibana.example.com/api/security/oidc/callback"   # placeholder
  op.issuer: "https://op.example.com"                                         # placeholder values from the provider
  op.authorization_endpoint: "https://op.example.com/oauth2/authorize"
  op.token_endpoint: "https://op.example.com/oauth2/token"
  op.jwkset_path: oidc/jwkset.json
  claims.principal: sub</code></pre>
                        </div>
                    </div>
                </div>
            </div>
        </section>

        <!-- Authorization Section -->
        <section class="mb-20">
            <h2 class="text-3xl font-bold mb-8 flex items-center">
                <span class="mr-3"><i class="fas fa-user-shield feature-icon"></i></span>
                <span>2. Authorization</span>
            </h2>
            <p class="text-gray-600 mb-8">Authorization determines which resources an authenticated user may access. Elasticsearch provides fine-grained access control for this.</p>

            <!-- Mermaid Diagram -->
            <div class="bg-white rounded-xl shadow-md p-6 mb-8">
                <div class="mermaid">
                    graph TD
                        A[User authentication] --> B{Authorization check}
                        B -->|allowed| C[Fetch data]
                        B -->|denied| D[Access denied]
                        C --> E[Document-level check]
                        E -->|allowed| F[Return data]
                        E -->|denied| D
                </div>
            </div>

            <div class="grid md:grid-cols-2 gap-8">
                <!-- Built-in Roles -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <h3 class="text-xl font-bold mb-4 flex items-center">
                            <i class="fas fa-users-cog mr-2 text-blue-500"></i>
                            Built-in roles
                        </h3>
                        <p class="text-gray-600 mb-4">Elasticsearch ships with default roles such as <code>superuser</code> and <code>kibana_user</code>, each carrying predefined privileges.</p>
                        <div class="code-block p-4 rounded mb-4 overflow-x-auto">
                            <pre><code class="text-sm"># role_mapping.yml (a separate file, not an elasticsearch.yml setting): map a directory DN to a role
superuser:
  - "cn=admin,dc=example,dc=com"</code></pre>
                        </div>
                    </div>
                </div>

                <!-- Custom Roles -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <h3 class="text-xl font-bold mb-4 flex items-center">
                            <i class="fas fa-user-edit mr-2 text-blue-500"></i>
                            Custom roles
                        </h3>
                        <p class="text-gray-600 mb-4">Users can create custom roles and assign them specific privileges, such as index privileges and cluster privileges.</p>
                        <div class="code-block p-4 rounded mb-4 overflow-x-auto">
                            <pre><code class="text-sm"># roles.yml (file-based roles; the equivalent API call is PUT _security/role/my_custom_role)
my_custom_role:
  cluster: [ "all" ]   # "all" grants every cluster privilege; narrow it for production roles
  indices:
    - names: [ "*" ]
      privileges: [ "read", "write" ]</code></pre>
                        </div>
                    </div>
                </div>

                <!-- Document Level -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <h3 class="text-xl font-bold mb-4 flex items-center">
                            <i class="fas fa-file-alt mr-2 text-blue-500"></i>
                            Document-level access control
                        </h3>
                        <p class="text-gray-600 mb-4">Access can be restricted based on document content, defining which users may read which data.</p>
                        <div class="code-block p-4 rounded mb-4 overflow-x-auto">
                            <pre><code class="text-sm"># roles.yml: the query is re-evaluated for every user who holds the role
document_role:
  indices:
    - names: [ "documents" ]
      privileges: [ "read" ]
      # a literal "current_user" would only match documents whose user field is that exact string;
      # the template placeholder is replaced with the authenticated user's name
      query: '{"template": {"source": {"term": {"user": "{{_user.username}}"}}}}'</code></pre>
                        </div>
                    </div>
                </div>
            </div>
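            <p class="text-gray-600 mb-4">Added example (not code from the original page): a small Python simulation of how the document-level role query above is resolved per user. The documents, user names and both role queries are constructed here; the template form uses the documented <code>{{_user.username}}</code> placeholder, while the literal form matches only documents whose field holds that exact string.</p>

```python
"""Added example (not from the original page): how a document level security (DLS)
role query resolves per user. Documents, user names and queries are constructed."""
import json
import re

# Constructed contents of the "documents" index.
DOCUMENTS = [
    {"_id": "1", "user": "alice", "body": "alice's report"},
    {"_id": "2", "user": "bob", "body": "bob's report"},
    {"_id": "3", "user": "current_user", "body": "owned by a literally named user"},
]

# The two role queries from the document-level card: hard-coded literal vs. template.
LITERAL_QUERY = '{"term": {"user": "current_user"}}'
TEMPLATE_QUERY = '{"template": {"source": {"term": {"user": "{{_user.username}}"}}}}'


def render_role_query(role_query: str, username: str) -> dict:
    """Resolve a DLS query for one authenticated user.

    Mirrors Elasticsearch's behaviour: a "template" wrapper has its
    {{_user.username}} placeholder substituted; a plain query is used verbatim.
    """
    parsed = json.loads(role_query)
    if "template" not in parsed:
        return parsed
    source = json.dumps(parsed["template"]["source"])
    # Only the documented _user.username placeholder is handled here.
    source = re.sub(r"\{\{\s*_user\.username\s*\}\}", lambda _: username, source)
    return json.loads(source)


def visible_docs(role_query: str, username: str) -> list:
    """Return the _ids this user may read under the role query (term queries only)."""
    query = render_role_query(role_query, username)
    field, value = next(iter(query["term"].items()))
    return [doc["_id"] for doc in DOCUMENTS if doc.get(field) == value]


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(f"{name}: literal -> {visible_docs(LITERAL_QUERY, name)}, "
              f"template -> {visible_docs(TEMPLATE_QUERY, name)}")
```

With the literal query every user sees the same unrelated document and nobody sees their own; with the template each user sees exactly the documents whose <code>user</code> field equals their login name.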
        </section>

        <!-- Encryption Section -->
        <section class="mb-20">
            <h2 class="text-3xl font-bold mb-8 flex items-center">
                <span class="mr-3"><i class="fas fa-lock feature-icon"></i></span>
                <span>3. Data encryption</span>
            </h2>
            <p class="text-gray-600 mb-8">Encryption protects data both while it is stored and while it is transmitted. Elasticsearch offers several mechanisms for this.</p>

            <div class="grid md:grid-cols-3 gap-6">
                <!-- At Rest -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <div class="flex items-center mb-4">
                            <div class="bg-blue-100 p-3 rounded-full mr-4">
                                <i class="fas fa-database text-blue-500 text-xl"></i>
                            </div>
                            <h3 class="text-xl font-bold">Encryption at rest</h3>
                        </div>
                        <p class="text-gray-600 mb-4">Encrypting data on disk prevents unauthorized access. Elasticsearch supports data encryption through the Elastic Stack security suite.</p>
                        <div class="code-block p-4 rounded mb-2 overflow-x-auto">
                            <pre><code class="text-sm"># elasticsearch.yml
xpack.security.enabled: true
# Elasticsearch has no "xpack.security.encryption.key" setting and does not encrypt index
# data itself; encrypt the data path at the volume level, for example with dm-crypt/LUKS:
#   cryptsetup luksFormat /dev/sdX; cryptsetup open /dev/sdX esdata</code></pre>
                        </div>
                    </div>
                </div>

                <!-- In Transit -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <div class="flex items-center mb-4">
                            <div class="bg-green-100 p-3 rounded-full mr-4">
                                <i class="fas fa-exchange-alt text-green-500 text-xl"></i>
                            </div>
                            <h3 class="text-xl font-bold">Encryption in transit</h3>
                        </div>
                        <p class="text-gray-600 mb-4">TLS/SSL encrypts network traffic, protecting data while it is in transit.</p>
                        <div class="code-block p-4 rounded mb-2 overflow-x-auto">
                            <pre><code class="text-sm">xpack.security.transport.ssl:
  enabled: true
  key: /path/to/your.key
  certificate: /path/to/your.crt
  certificate_authorities: [ "/path/to/ca.crt" ]</code></pre>
                        </div>
                    </div>
                </div>

                <!-- Key Management -->
                <div class="bg-white rounded-xl shadow-md overflow-hidden transition duration-300 card-hover">
                    <div class="p-6">
                        <div class="flex items-center mb-4">
                            <div class="bg-purple-100 p-3 rounded-full mr-4">
                                <i class="fas fa-key text-purple-500 text-xl"></i>
                            </div>
                            <h3 class="text-xl font-bold">Key management</h3>
                        </div>
                        <p class="text-gray-600 mb-4">Use a key management service (such as HashiCorp Vault or AWS KMS) to manage encryption keys and strengthen the security of key handling.</p>
                        <div class="code-block p-4 rounded mb-2 overflow-x-auto">
                            <pre><code class="text-sm"># Elasticsearch has no built-in Vault/KMS setting (no "xpack.security.encryption.key_vault");
# its secrets live in the password-protected elasticsearch.keystore, which deployment tooling
# can populate from Vault or KMS at provisioning time:
bin/elasticsearch-keystore create -p
bin/elasticsearch-keystore add xpack.security.authc.realms.ldap.ldap1.secure_bind_password</code></pre>
                        </div>
                    </div>
                </div>
            </div>
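            <p class="text-gray-600 mb-4">Added example (not code from the original page) tying the transport-encryption card to the LDAP and OAuth 2.0 cards above: a Python audit of a flat <code>elasticsearch.yml</code> that flags disabled TLS, disabled certificate verification, plaintext LDAP binds and secrets that belong in the keystore. The sample configuration is constructed for the example.</p>

```python
"""Added example (not from the page): audit a flat elasticsearch.yml for weak settings; sample is constructed."""

# Constructed elasticsearch.yml in the flat "dotted.key: value" form Elasticsearch accepts.
SAMPLE_CONFIG = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.http.ssl.enabled: false
xpack.security.authc.realms.ldap.ldap1.url: "ldap://ldap.example.com:389"
xpack.security.authc.realms.ldap.ldap1.bind_password: "password"
xpack.security.authc.realms.oidc.oidc1.rp.client_secret: "your-client-secret"
"""

# Settings that belong in elasticsearch-keystore, never in the plaintext config file.
SECRET_SUFFIXES = (".bind_password", ".client_secret")


def parse_flat_yaml(text: str) -> dict:
    """Parse 'key: value' lines (flat form only); comments and quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings: dict) -> list:
    """Return findings for settings that weaken authentication or transport encryption."""
    findings = []
    if settings.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: requests run unauthenticated")
    for layer in ("transport", "http"):
        if settings.get(f"xpack.security.{layer}.ssl.enabled") != "true":
            findings.append(f"{layer} TLS disabled: traffic and credentials travel in clear")
        if settings.get(f"xpack.security.{layer}.ssl.verification_mode") == "none":
            findings.append(f"{layer} certificate verification off: a spoofed peer is accepted")
    for key, value in settings.items():
        if key.endswith(SECRET_SUFFIXES):
            findings.append(f"secret in elasticsearch.yml ({key}): move it to the keystore")
        if key.endswith(".url") and value.startswith("ldap://"):
            findings.append(f"plaintext LDAP bind ({key}): use ldaps:// or enable STARTTLS")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_flat_yaml(SAMPLE_CONFIG)):
        print("-", finding)
```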
        </section>

        <!-- Summary -->
        <section class="bg-blue-50 rounded-xl p-8">
            <h2 class="text-2xl font-bold mb-6 text-blue-800">Summary of security mechanisms</h2>
            <div class="grid md:grid-cols-3 gap-6">
                <div class="bg-white p-6 rounded-lg shadow">
                    <h3 class="font-bold text-lg mb-3 text-blue-700"><i class="fas fa-user-check mr-2"></i>Authentication</h3>
                    <ul class="list-disc pl-5 text-gray-600">
                        <li class="mb-1">Username/password authentication</li>
                        <li class="mb-1">LDAP/AD integration</li>
                        <li class="mb-1">SAML SSO</li>
                        <li>OAuth 2.0</li>
                    </ul>
                </div>
                <div class="bg-white p-6 rounded-lg shadow">
                    <h3 class="font-bold text-lg mb-3 text-blue-700"><i class="fas fa-user-shield mr-2"></i>Authorization</h3>
                    <ul class="list-disc pl-5 text-gray-600">
                        <li class="mb-1">Built-in roles</li>
                        <li class="mb-1">Custom roles</li>
                        <li>Document-level access control</li>
                    </ul>
                </div>
                <div class="bg-white p-6 rounded-lg shadow">
                    <h3 class="font-bold text-lg mb-3 text-blue-700"><i class="fas fa-lock mr-2"></i>Encryption</h3>
                    <ul class="list-disc pl-5 text-gray-600">
                        <li class="mb-1">Encryption at rest</li>
                        <li class="mb-1">Encryption in transit</li>
                        <li>Key management</li>
                    </ul>
                </div>
            </div>
        </section>
    </main>

    <!-- Footer -->
    <footer class="bg-gray-900 text-gray-300 py-8">
        <div class="container mx-auto px-6">
            <div class="flex flex-col items-center">
                <div class="mb-4">
                    <span class="text-xl font-medium text-white">技术小馆</span>
                </div>
                <div>
                    <a href="http://www.yuque.com/jtostring" class="text-blue-300 hover:text-white transition duration-200">
                        <i class="fas fa-globe mr-2"></i>http://www.yuque.com/jtostring
                    </a>
                </div>
            </div>
        </div>
    </footer>

    <script>
        // Initialize Mermaid
        mermaid.initialize({
            startOnLoad: true,
            theme: 'default',
            flowchart: {
                useMaxWidth: false,
                htmlLabels: true,
                curve: 'basis'
            }
        });
    </script>
</body>
</html>